I'm happy to announce the release of Apache Subversion 1.10.8.
Please choose the mirror closest to you by visiting:

    https://subversion.apache.org/download.cgi#supported-releases

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS TWO IMPORTANT SECURITY FIXES:

CVE-2021-28544
"SVN authz protected copyfrom paths regression"

The full security advisory for CVE-2021-28544 is available at:
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
    https://subversion.apache.org/security/CVE-2021-28544-advisory.txt.asc

A brief summary of this advisory follows:

   Subversion servers reveal 'copyfrom' paths that should be hidden according to
   configured path-based authorization (authz) rules.  When a node has been
   copied from a protected location, users with access to the copy can see the
   `copyfrom' path of the original.  This also reveals the fact that
the node was copied.
   Only the 'copyfrom' path is revealed; not its contents. Both httpd
and svnserve
   servers are vulnerable.

   We recommend all users to upgrade to a known fixed release of the
Subversion server.

   This issue was reported by Evgeny Kotkov

CVE-2022-24070
"Subversion's mod_dav_svn is vulnerable to memory corruption"

The full security advisory for CVE-2022-24070 is available at:
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt
    https://subversion.apache.org/security/CVE-2022-24070-advisory.txt.asc

A brief summary of this advisory follows:

   While looking up path-based authorization rules, mod_dav_svn servers
   may attempt to use memory which has already been freed.

   We recommend all users to upgrade to a known fixed release of the
Subversion server.

   This issue was reported by Thomas Weißschuh

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.10.8.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.10.8.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.10.8.zip.sha512

PGP Signatures are available at:

    https://www.apache.org/dist/subversion/subversion-1.10.8.tar.bz2.asc
    https://www.apache.org/dist/subversion/subversion-1.10.8.tar.gz.asc
    https://www.apache.org/dist/subversion/subversion-1.10.8.zip.asc

For this release, the following people have provided PGP signatures:

   Julian Foad [rsa4096/1FB064B84EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
   Stefan Sperling [rsa2048/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Branko Čibej [rsa4096/1BCA6586A347943F] with fingerprint:
    BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Mark Phippard [ed25519/C4416167349A3BCB] with fingerprint:
    EC25 FCC1 0561 8D04 ADB4  3429 C441 6167 349A 3BCB
   Johan Corveleyn [rsa4096/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD

These public keys are available at:

    https://www.apache.org/dist/subversion/subversion-1.10.8.KEYS

Release notes for the 1.10.x release series may be found at:

    https://subversion.apache.org/docs/release-notes/1.10.html

You can find the list of changes between 1.10.8 and earlier versions at:

    https://svn.apache.org/repos/asf/subversion/tags/1.10.8/CHANGES

Questions, comments, and bug reports to us...@subversion.apache.org.

Thanks,
- The Subversion Team

Reply via email to